
Re: Security release procedures

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Thu, 29 Aug 2019 00:36:09 +0000

Julian Foad wrote on Wed, 28 Aug 2019 11:41 +00:00:
> * Drop the CVE? (steps 8, 15, 16)
> For cases that are not looking like a very high severity, we could
> omit the CVE process and much of the formal description associated with
> it. CVEs are a Good Thing, but they do require extra effort and we don't
> have to do that for every vulnerability.
> Instead, on a case by case basis, we could choose to omit the CVE
> (even drop it after initially requesting one) and summarize the issue at
> a lesser level of detail.

I don't follow. There is a distinction between "the issue has a CVE name",
"the issue has an advisory", and "the issue's fix is developed on private@
[using either the security-by-obscurity process or the confidential process]".
Which of these three do you propose to do away with?
Received on 2019-08-29 02:36:36 CEST

This is an archived mail posted to the Subversion Dev mailing list.